How To: Basic Server Security (CentOS 7) – April 2019

Out of the box, servers are often insecure and come with outdated software. In this guide we will be going through the basics of what you need to do to secure a server. This guide applies to CentOS 7 and was last updated April 2019.

1. Updates! Updates! Updates!

The first thing you need to focus on is updates. Ensuring your server is up to date is key, and you need to make sure you do this regularly. Downtime in the name of security is justifiable, but with the correct configuration and redundancy you can avoid downtime too (but that’s for another blog post).

To update in CentOS, run:

sudo yum update && sudo yum upgrade

2. Firewall

2.1 – Install the firewall

My preference for a firewall for beginners is CSF + LFD (ConfigServer Firewall + Login Failure Daemon). To install CSF you’ll need to run the following commands:

You can whitelist your IP address to prevent you from getting locked out if you have too many incorrect password attempts, but only do this if you have a static IP. Do this by running:

csf -a 1.2.3.4 # Replace 1.2.3.4 with your IP Address (v4 or v6)

After making a change, restart CSF with:

csf -r

3. Secure SSH

Securing SSH is the next important aspect. I’m going to assume you are already connecting to your server using public key auth with your own user in the wheel group (AWS, DigitalOcean, Azure, Linode use this by default) – if you aren’t using public key auth, do so.

We’re going to disable root login and disable login by passwords. This will prevent hackers from brute-forcing their way in over SSH to the default root account.
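To check that both changes actually take effect, here is an added example (not part of the original guide) that audits an sshd_config file for the two sshd keywords involved, PermitRootLogin and PasswordAuthentication. The function names and the sample configs are made up for this example.

```shell
#!/bin/sh
# Added example: audit the two sshd_config settings this section disables.
# The sample configs further down are constructed for illustration.

# Print the global value of keyword $1 in file $2, or "unset".
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, "Keyword=value" is accepted, and a Match line
# starts a conditional section, so scanning stops there.
sshd_setting() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                 # comment line
        { sub(/=/, " ") }                   # normalise Keyword=value
        NF == 0 { next }                    # blank line
        tolower($1) == "match" { exit }     # end of global section
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Exit status 0 only if both settings are explicitly "no". Treating an
# unset keyword as a failure is a conservative choice of this example.
audit_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$key" "$1")
        if [ "$val" = "no" ]; then
            echo "OK   $key $val"
        else
            echo "FAIL $key $val (want: no)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" is ignored (first
# value wins) and PasswordAuthentication is only set inside a Match block.
sample_weak() {
    printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
        'PermitRootLogin no' 'Match User deploy' '    PasswordAuthentication no'
}
# Constructed sample: both settings disabled globally.
sample_hardened() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication=no'
}

# Audit the file given as the first argument, e.g. /etc/ssh/sshd_config.
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

On a live server, running sshd -T as root prints the effective configuration after sshd's own parsing, which is the authoritative check.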